Protect Your Servers

Protecting clients is important because attackers often use poorly secured clients to launch attacks against other devices. But your servers are even more importantthis is, after all, where your data is, and where you and your customers and business partners intersect. If someone compromises your servers, your business pretty much just stopsand you can't do anything until you recover.

No matter what size of business you run, good physical security for servers is paramount. Never put any kind of server underneath someone's desk; no single location attracts more thieves and spilled coffee than this one popular office storage space. Servers belong in a locked room or cabinetor at least shackled with a strong lock and cable to something large and immobile. Keep track of who has access to the room and change the key lock or combination every so often to (re-)ensure that only authorized people have access. Keep track of asset information such as model and serial numbers , which are often required if you need to make an insurance claim against damaged or stolen equipment.

Be sure your antivirus and anti-spyware programs are running on your servers, too. Worms, viruses, and Trojans don't know the difference between servers and clientsa computer is a computer is a computer. Unprotected servers often become the launching point for attacks against other computers; a server that's trying to infect the entire Internet isn't going to be too useful for anything else. (If you know that you'll never surf the Internet from your servers, you can safely omit the anti-spyware.) Likewise, keep your servers up-to-date with patches and service packs . Some people rely on automatic updates; others prefer to manually apply updates to servers. Regardless of your approach, do keep your servers updated; use the Microsoft Baseline Security Analyzer ^[7] (MBSA) to identify common misconfigurations and missing updates. To automate some of the steps for keeping an Exchange server current, download the Exchange Server Best Practices Analyzer Tool, ^[8] which compares your server's configuration to the best practices Microsoft recommends for Exchange Server 2000 and 2003.

^[7] http://www.microsoft.com/technet/security/tools/mbsahome.mspx.

^[8] http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx.

Database servers deserve special attention. Many common business software products run in (at least) two tiersa Web tier that handles all the presentation and business logic, and a database tier that stores all the information you interact with and store. All too often, people think only of securing the Web server and ignore the security on the databasebut in most instances the attackers are interested in what's in the database and often just ignore the Web server if they can compromise the database server directly. ^[9] So, it's critical that you keep your database server, whether it's just MSDE or the full Microsoft SQL Server, current with all service packs and updates. And if you have any influence with your application vendor, make sure that the application and database use Windows authentication and validate all inputSQL authentication is almost always passed in clear text with a blank password; unvalidated input leads to common SQL injection attacks that can give an attacker complete control of the database server. ^[10]

^[9] Remember in Chapter 2, "Anatomy of a Hack: The Rise and Fall of Your Network," the first computer to get compromised was the database server.

^[10] Refer again to Chapter 2. See also http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp for a fascinating discussion of these attacks. There is, unfortunately , very little that you can do to fix broken third-party applications yourself, but you might enlist the aid of a techie friend to find a flaw or two and alert the vendor about the vulnerability.

Storing Client Information on Servers

Client computers often store mission-critical information: business plans, financial data, any kind of intellectual property the users are creating or updating. You can help protect this information by bringing it under the domain of your servers with a couple interesting technologies built in to Windows.

Roaming Profiles

Windows keeps a lot of information about users in profiles Registry keys, desktop icons, favorites, program files and links and settings, document folders, and so on. You can move a user 's profile off the local computer and onto a server using roaming profiles . Now this information gets backed up according to whatever schedule you've implemented. It also allows users to move from computer to computer and have all their settings follow.

To set up roaming profiles, first create a folder on your server to hold all the profiles. Share this folder to the network and give all users full control (the default NTFS permissions tighten down access appropriately). Then in Active Directory Users and Computers modify the profile location for each user (the Profile tab in Properties). Enter the folder for this specific user; \\ servername \profileshare\%USERNAME% works in all cases. Windows creates subfolders and sets permissions appropriately; you don't need to manage that.

Redirecting Folders and Offline Storage

As with user profiles, you can also configure clients to store documents and other content on network shares instead of on local hard drives . And just like with profiles, by moving documents to server storage they are better protected from loss because they get backed up.

Setting up folder redirection is similar to setting up roaming profiles. SBS 2003 includes a Configure My Documents redirection wizard that automates setting up folder redirection, but it redirects only the My Documents folder, which isn't enough to keep a client completely backed up. So instead, we recommend you configure folder redirection manually. Create a folder on your server to hold everyone's document subfolders. Share this folder to the network and give all users full control. Then in Active Directory Users and Computers, create a new Group Policy object in the domain (or organizational unit) containing your users. Edit this GPO and navigate to User Configuration Windows Settings Folder Redirection . Redirect My Documents, My Pictures, Application Data , and Desktop ; don't redirect Start Menu . Configure basic redirection for each and use \\servername\redirectshare\%USERNAME% in all cases.

Sometimes administrators choose not to redirect Application Data and Desktop and instead allow them to roam with the profile. But by redirecting them, you can often reduce the amount of time it takes for a user to log on, which is especially important if mobile users are on slow links. A few applications behave improperly when Application Data is redirected; test this if you see erratic results.

A downside of moving personal storage to the server is that users must be connected to the network to work on their files. Windows has a feature that "mirrors" server content to local folders to alleviate this problem; the feature is especially useful for mobile computers. Windows XP automatically makes redirected folders available offline, so there's nothing you need to do here. The default setting is to automatically cache files so that the operation is transparent to the user. When users log off, any changes made to files are automatically synchronized so that the network and local versions are identical.

Various Group Policy settings enable you to change the synchronization behavioryou can schedule it to occur at certain times or to occur whenever the computer is idle. You can even choose to encrypt the offline files cache with EFS, which is a good idea for mobile computers. See Chapter 6 in the Windows XP Professional Resource Kit for all the details on configuring offline storage with folder redirection.

Extending Server Protection to Clients

An important tenet of information security is the principle of least privilege . Alas it's so easy (and too common) to give everyone administrator access to all resourceseverything is guaranteed to work when you do this. Everything is also guaranteed to be compromised eventually, too, because malware runs in the same user context as whoever's logged on to the box. And users running as administrators will execute malware as administrators, which very likely can permit successful attack of your servers.

Throughout the book, we discuss technologies such as group policy and software restriction policies (SRPs), technologies you can use to manage all your clients from your servers and to help keep those servers protected. SBS includes Active Direcotry, which means that group policy and SRPs are already there, just waiting for you to use. Group policy can apply many security settings and permissions automatically, keeping you out of the business of manually configuring (and making mistakes on) the settings of each of your client computers. User-based roles, such as "sales rep" or "admin assistant," help you assign consistent privileges and permissions to users; each role's set of allowed behaviors should be consistent with whatever that role's job duties happen to be. ^[11] Create organizational units that reflect the roles of users and computers and apply settings to them. Then group those resources together into the appropriate organizational units, and all of the security settings you defined at the OU are automatically assigned to the resources.

^[11] Although not written with small businesses in mind, many of the principles described in the Windows Server 2003 Security Guide and the Windows XP Security Guide are very appropriate here, especially the use of AD group policy to grant privileges and assign permissions by role.

Add WUS for centralized updating and (after it gets released) Audit Collection Services (ACS) ^[12] for centralized monitoring and from a single location you can keep track of what your clients are doing and keep them updated. Finally, configure roaming user profiles and local folder redirection with offline filesnow clients are disposable; a compromised client is something you can "nuke and pave" quickly without worrying about lost data or extended downtime.

^[12] Not released as of this writing.

Think about the roles of computers and people, and take advantage of these technologies to simplify your work. By automating these settings, which can prevent users from installing or running unapproved software and limiting which resources users can access, you can advance far along the path toward strong effective protectionand quite possibly ahead of your competitors , too.